Saturday, February 2, 2019
Stratosphere
STRATOSPHERE
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Stratosphere, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Stratosphere's IP is 10.10.10.64:
- Scanning with Nmap:
- Connecting with the browser:
- Brute-forcing directories with DirBuster and the medium-size directory list:
- DirBuster finds folders such as /manager and /Monitoring:
- Going to /Monitoring we are redirected to this web page:
- Clicking Sign On:
- In both cases let's notice the presence of the extension .action, which is the URL extension that Apache Struts maps to its Action classes:
https://svn.apache.org/repos/asf/struts/archive/trunk/struts-doc-1.1/api/org/apache/struts/action/Action.html
3 - EXPLOITATION
- Apache Struts has multiple known remote code execution vulnerabilities, for instance the one described in CVE-2018-11776:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
- There are many exploits available, so let's take for instance the Python script struts-pwn:
- Downloading to Kali:
- Reading README.md we find an example of usage:
- Now let's check that the script works (by default it runs the command id):
- Also, we can use the script to read /etc/passwd:
... etc ...
- Listing the content of /home:
- Listing the content of richard's folder:
- Reading db_connect we find credentials for the databases ssn and users:
- Showing the tables of the database users we find the table accounts:
- Selecting * from the table accounts we find a password for the user richard:
- Connecting via SSH with richard's credentials we get a low-privileged remote shell:
richard:9tc*rhKuG5TyXvUJOrE^5CK7k
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- However, access to the root folder is denied, so we need privilege escalation:
- User richard has some sudo privileges:
- Reading test.py, it seems to hold some encoding/decoding and hashing routines:
- Executing test.py, just in case, shows no output:
- Let's notice that test.py imports hashlib. Python puts the directory of the script being run at the front of sys.path, so a file named hashlib.py placed in the same directory as test.py is imported instead of the standard library module, and whatever it contains runs with the privileges of whoever executes test.py. So let's write hashlib.py in this way:
- Now, just following the sudoers entry and executing the command, a root shell is achieved:
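The module-shadowing trick behind the privilege escalation above, as an added example that is not the write-up's own hashlib.py. It runs entirely inside a throw-away temporary directory: a constructed stand-in for test.py that only imports hashlib and reports which module it got, and a constructed shadow hashlib.py that sets a marker instead of spawning a shell. The second run uses the interpreter's -I (isolated mode) flag, which keeps the script's directory off sys.path, to show the check that defeats the hijack.

```python
"""Python module shadowing, the mechanism behind the hashlib.py privesc.

Added example, not code from the original write-up. Everything here is
constructed: the victim script stands in for test.py, and the shadow
hashlib.py only sets a marker (an attacker's version would e.g. call
os.system("/bin/bash"), which under sudo yields a root shell).
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for test.py: imports hashlib and reports whether the
# module it received is the shadow one or the genuine standard-library one.
VICTIM_SCRIPT = textwrap.dedent("""\
    import hashlib
    print("hijacked" if getattr(hashlib, "HIJACKED", False) else "genuine")
""")

# Constructed shadow module, dropped next to the victim script.
SHADOW_HASHLIB = textwrap.dedent("""\
    HIJACKED = True
""")


def run_victim(isolated: bool) -> str:
    """Run the victim script with a shadow hashlib.py beside it.

    Returns "hijacked" if the shadow module was imported and "genuine" if
    the standard-library hashlib won. isolated=True adds the -I flag, which
    removes the script's directory (and the user site-packages) from sys.path.
    """
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "test.py")
        with open(victim, "w") as fh:
            fh.write(VICTIM_SCRIPT)
        with open(os.path.join(workdir, "hashlib.py"), "w") as fh:
            fh.write(SHADOW_HASHLIB)

        cmd = [sys.executable]
        if isolated:
            cmd.append("-I")
        cmd.append(victim)
        # The working directory is deliberately NOT workdir: it is the
        # script's own directory, not the cwd, that Python prepends to
        # sys.path when running a script file.
        result = subprocess.run(cmd, capture_output=True, text=True,
                                cwd=tempfile.gettempdir(), check=True)
        return result.stdout.strip()


if __name__ == "__main__":
    print("default interpreter flags:", run_victim(False))  # hijacked
    print("with python -I:          ", run_victim(True))    # genuine
```

The practical takeaway for the sudoers entry seen on this box: letting a user run an interpreter on a script that lives in a directory that user can write to is equivalent to granting root, because any module the script imports can be replaced. Keeping the script and its directory root-owned, or invoking the interpreter with -I (or -P on Python 3.11+, which only drops the unsafe sys.path entry), closes this particular hole.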
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: